Windows 10 PCs can crash from this single character — update right now

blue screen of death
(Image credit: Shutterstock)

If you haven't yet applied Microsoft's latest Windows security updates, you need to do so now. That's because the updates fix a flaw that could crash or hack Windows 10 with a single character displayed in a web page.

We'll spare you the technical details of how this works — you can read all about it in this Google Project Zero forum post — but an attack would involve a maliciously crafted TrueType font embedded in a web page. 

A visitor to the page would have to click "OK" to view (and therefore download) the malicious font, but it's not too hard to trick people into doing things online.

A successful attack would crash a PC running any version of Windows 10, as long as the machine hasn't installed the Feb. 9 patches. Windows 8.1, the only other version of Windows that Microsoft still supports, doesn't seem to be affected.

If you'd like to try out the attack yourself, Google Project Zero lets you download a proof-of-concept malicious font and a web page to display it here. The attack should work in the Google Chrome, Microsoft Edge and Mozilla Firefox browsers if the PC hasn't recently been updated. Try this at your own risk.

We tried out the proof-of-concept ourselves and just saw a fuzzy version of the "Æ" character you may remember from studying "Beowulf" in school. But our computer has installed this month's Microsoft updates.

As far as we know, there are no reports of this flaw being used in real-life attacks. That may change now that the secret is out.

Google's Dominik Röttsches and Mateusz Jurczyk found the flaw last November and gave Microsoft 90 days to fix it.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.